ibatis-user-java mailing list archives

From "Ashok Madhavan" <ashok.madha...@gmail.com>
Subject Re: Running dynamic sp
Date Tue, 31 Jul 2007 15:23:49 GMT
I would always prefer not to use '$'. Otherwise you will have to check what is
sent in the '$' and make sure it is proper and what you want.

Anyway, I like the methods being different for your scenario.

Regards,
Ashok

On 7/31/07, Larry Meadors <lmeadors@apache.org> wrote:
>
> Only if you control the value of sp_name very carefully. If someone
> can set it to "drop table order;--" you're screwed. :-)
>
> Larry
>
>
> On 7/31/07, John Dahl <clickjohndahl@gmail.com> wrote:
> >
> > OK, I did it successfully with the "$" operator.
> > One thing I would like to know is can we prevent SQL injection in this case.
> >
> > Thank you for the solution.
> >
> >
> > John Dahl wrote:
> > >
> > > Ok, here is my requirement. I need to run different sp having different
> > > parameters. E.g., I need to run the following sps:
> > > 1) call generate_bill(#bill_id#)
> > > 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
> > >
> > > Can I create a single method in sql maps with dynamic tags (or
> > > programmatically) so that the same method can be called to execute any of
> > > these sps? sp name and parameter map need to be resolved only at run time.
> > > Is it possible with iBatis?
> > >
> > > Thanks in advance.
> > >
> >
> > --
> > View this message in context: http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
> > Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
> >
> >
>
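
Larry's condition about controlling `sp_name`, as an added example that is not part of the original thread: the procedure name is resolved from a fixed allowlist before it can reach the `$` substitution, while the arguments stay in `#...#` bound parameters. The class name, the `resolve` helper and the sample inputs are hypothetical; the two procedure names and their parameters are taken from John's message.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example (hypothetical helper, not iBATIS API): the caller picks a
// procedure, but only names on this fixed allowlist can reach $sp_name$.
public class ProcedureAllowlist {
    // Procedure name -> exact parameter names it accepts (from the thread).
    private static final Map<String, Set<String>> ALLOWED = new LinkedHashMap<>();
    static {
        ALLOWED.put("generate_bill", Set.of("bill_id"));
        ALLOWED.put("generate_invoice", Set.of("invoice_id", "start_date", "end_date"));
    }

    // Returns the parameter map to hand to the SQL map statement.
    // Throws if the name or the parameter set is not exactly what is expected.
    public static Map<String, Object> resolve(String requested, Map<String, Object> args) {
        Set<String> expected = ALLOWED.get(requested);
        if (expected == null) {
            // Do not echo the rejected input back into logs or error pages.
            throw new IllegalArgumentException("unknown procedure requested");
        }
        if (!expected.equals(args.keySet())) {
            throw new IllegalArgumentException("unexpected parameters for " + requested);
        }
        Map<String, Object> params = new HashMap<>(args); // values stay bound via #name#
        params.put("sp_name", requested);                  // the only value used with $...$
        return params;
    }

    public static void main(String[] unused) {
        // Constructed sample inputs.
        System.out.println(resolve("generate_bill", Map.of("bill_id", 42)));
        for (String bad : List.of("drop table order;--", "generate_bill; drop table order")) {
            try {
                resolve(bad, Map.of("bill_id", 42));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```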
